Password Credentials Flow (when previous flow can’t be used or during development).

Client Credentials Flow (the client can request an access token using only its client credentials)

Authorization Code Flow

The authorization code grant type is used to obtain both access tokens and refresh tokens and is optimized for
confidential clients. As a redirection-based flow, the client must be capable of interacting with the resource
owner’s user-agent (typically a web browser) and capable of receiving incoming requests (via redirection) from the
authorization server.

Password Credentials Flow

The resource owner password credentials grant type is suitable in cases where the resource owner has a trust
relationship with the client, such as the device operating system or a highly privileged application. The
authorization server should take special care when enabling this grant type, and only allow it when other flows are
not viable.

The grant type is suitable for clients capable of obtaining the resource owner’s credentials (username and password,
typically using an interactive form). It is also used to migrate existing clients using direct authentication
schemes such as HTTP Basic or Digest authentication to OAuth by converting the stored credentials to an access token.

Client Credentials Flow

The client can request an access token using only its client credentials (or other supported means of authentication)
when the client is requesting access to the protected resources under its control, or those of another resource owner
that have been previously arranged with the authorization server (the method of which is beyond the scope of this
specification).

The client credentials grant type MUST only be used by confidential clients.

Authorization Code flow

The Authorization Code flow is made up from two parts. At first your application asks to the user the permission to
access their data. If the user approves the OAuth2 server sends to the client an authorization code. In the second
part, the client POST the authorization code along with its client secret to the authority server in order to get the
access token.

Password Credentials Flow

This flow is suitable when the resource owner has a trust relationship with the client, such as its computer
operating system or a highly privileged application. Use this flow only when other flows are not viable or when you
need a fast way to test your application.

When using this approach the provider has knowledge on how to parse access tokens and extract grants from inside.
This information is quite valuable since it allows to do authorization at the API level, for example: